1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright 2002-2004, Instant802 Networks, Inc. 4 * Copyright 2008, Jouni Malinen <j@w1.fi> 5 * Copyright (C) 2016-2017 Intel Deutschland GmbH 6 * Copyright (C) 2020-2023 Intel Corporation 7 */ 8 9 #include <linux/netdevice.h> 10 #include <linux/types.h> 11 #include <linux/skbuff.h> 12 #include <linux/compiler.h> 13 #include <linux/ieee80211.h> 14 #include <linux/gfp.h> 15 #include <linux/unaligned.h> 16 #include <net/mac80211.h> 17 #include <crypto/aes.h> 18 #include <crypto/utils.h> 19 20 #include "ieee80211_i.h" 21 #include "tkip.h" 22 #include "aes_ccm.h" 23 #include "aes_cmac.h" 24 #include "aes_gmac.h" 25 #include "aes_gcm.h" 26 #include "wpa.h" 27 28 ieee80211_tx_result 29 ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx) 30 { 31 u8 *data, *key, *mic; 32 size_t data_len; 33 unsigned int hdrlen; 34 struct ieee80211_hdr *hdr; 35 struct sk_buff *skb = tx->skb; 36 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 37 int tail; 38 39 hdr = (struct ieee80211_hdr *)skb->data; 40 if (!tx->key || tx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP || 41 skb->len < 24 || !ieee80211_is_data_present(hdr->frame_control)) 42 return TX_CONTINUE; 43 44 hdrlen = ieee80211_hdrlen(hdr->frame_control); 45 if (skb->len < hdrlen) 46 return TX_DROP; 47 48 data = skb->data + hdrlen; 49 data_len = skb->len - hdrlen; 50 51 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) { 52 /* Need to use software crypto for the test */ 53 info->control.hw_key = NULL; 54 } 55 56 if (info->control.hw_key && 57 (info->flags & IEEE80211_TX_CTL_DONTFRAG || 58 ieee80211_hw_check(&tx->local->hw, SUPPORTS_TX_FRAG)) && 59 !(tx->key->conf.flags & (IEEE80211_KEY_FLAG_GENERATE_MMIC | 60 IEEE80211_KEY_FLAG_PUT_MIC_SPACE))) { 61 /* hwaccel - with no need for SW-generated MMIC or MIC space */ 62 return TX_CONTINUE; 63 } 64 65 tail = MICHAEL_MIC_LEN; 66 if (!info->control.hw_key) 67 tail += IEEE80211_TKIP_ICV_LEN; 68 69 if (WARN(skb_tailroom(skb) < tail || 70 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN, 71 "mmic: not enough head/tail (%d/%d,%d/%d)\n", 72 skb_headroom(skb), IEEE80211_TKIP_IV_LEN, 73 skb_tailroom(skb), tail)) 74 return TX_DROP; 75 76 mic = skb_put(skb, MICHAEL_MIC_LEN); 77 78 if (tx->key->conf.flags & IEEE80211_KEY_FLAG_PUT_MIC_SPACE) { 79 /* Zeroed MIC can help with debug */ 80 memset(mic, 0, MICHAEL_MIC_LEN); 81 return TX_CONTINUE; 82 } 83 84 key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY]; 85 michael_mic(key, hdr, data, data_len, mic); 86 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) 87 mic[0]++; 88 89 return TX_CONTINUE; 90 } 91 92 93 ieee80211_rx_result 94 ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx) 95 { 96 u8 *data, *key = NULL; 97 size_t data_len; 98 unsigned int hdrlen; 99 u8 mic[MICHAEL_MIC_LEN]; 100 struct sk_buff *skb = rx->skb; 101 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 102 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 103 104 /* 105 * it makes no sense to check for MIC errors on anything other 106 * than data frames. 107 */ 108 if (!ieee80211_is_data_present(hdr->frame_control)) 109 return RX_CONTINUE; 110 111 /* 112 * No way to verify the MIC if the hardware stripped it or 113 * the IV with the key index. In this case we have solely rely 114 * on the driver to set RX_FLAG_MMIC_ERROR in the event of a 115 * MIC failure report. 116 */ 117 if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) { 118 if (status->flag & RX_FLAG_MMIC_ERROR) 119 goto mic_fail_no_key; 120 121 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key && 122 rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP) 123 goto update_iv; 124 125 return RX_CONTINUE; 126 } 127 128 /* 129 * Some hardware seems to generate Michael MIC failure reports; even 130 * though, the frame was not encrypted with TKIP and therefore has no 131 * MIC. Ignore the flag them to avoid triggering countermeasures. 132 */ 133 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP || 134 !(status->flag & RX_FLAG_DECRYPTED)) 135 return RX_CONTINUE; 136 137 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) { 138 /* 139 * APs with pairwise keys should never receive Michael MIC 140 * errors for non-zero keyidx because these are reserved for 141 * group keys and only the AP is sending real multicast 142 * frames in the BSS. 143 */ 144 return RX_DROP_U_AP_RX_GROUPCAST; 145 } 146 147 if (status->flag & RX_FLAG_MMIC_ERROR) 148 goto mic_fail; 149 150 hdrlen = ieee80211_hdrlen(hdr->frame_control); 151 if (skb->len < hdrlen + MICHAEL_MIC_LEN) 152 return RX_DROP_U_SHORT_MMIC; 153 154 if (skb_linearize(rx->skb)) 155 return RX_DROP_U_OOM; 156 hdr = (void *)skb->data; 157 158 data = skb->data + hdrlen; 159 data_len = skb->len - hdrlen - MICHAEL_MIC_LEN; 160 key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY]; 161 michael_mic(key, hdr, data, data_len, mic); 162 if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN)) 163 goto mic_fail; 164 165 /* remove Michael MIC from payload */ 166 skb_trim(skb, skb->len - MICHAEL_MIC_LEN); 167 168 update_iv: 169 /* update IV in key information to be able to detect replays */ 170 rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip.iv32; 171 rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip.iv16; 172 173 return RX_CONTINUE; 174 175 mic_fail: 176 rx->key->u.tkip.mic_failures++; 177 178 mic_fail_no_key: 179 /* 180 * In some cases the key can be unset - e.g. a multicast packet, in 181 * a driver that supports HW encryption. Send up the key idx only if 182 * the key is set. 183 */ 184 cfg80211_michael_mic_failure(rx->sdata->dev, hdr->addr2, 185 is_multicast_ether_addr(hdr->addr1) ? 186 NL80211_KEYTYPE_GROUP : 187 NL80211_KEYTYPE_PAIRWISE, 188 rx->key ? rx->key->conf.keyidx : -1, 189 NULL, GFP_ATOMIC); 190 return RX_DROP_U_MMIC_FAIL; 191 } 192 193 static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb) 194 { 195 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 196 struct ieee80211_key *key = tx->key; 197 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 198 unsigned int hdrlen; 199 int len, tail; 200 u64 pn; 201 u8 *pos; 202 203 if (info->control.hw_key && 204 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) && 205 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) { 206 /* hwaccel - with no need for software-generated IV */ 207 return 0; 208 } 209 210 hdrlen = ieee80211_hdrlen(hdr->frame_control); 211 len = skb->len - hdrlen; 212 213 if (info->control.hw_key) 214 tail = 0; 215 else 216 tail = IEEE80211_TKIP_ICV_LEN; 217 218 if (WARN_ON(skb_tailroom(skb) < tail || 219 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN)) 220 return -1; 221 222 pos = skb_push(skb, IEEE80211_TKIP_IV_LEN); 223 memmove(pos, pos + IEEE80211_TKIP_IV_LEN, hdrlen); 224 pos += hdrlen; 225 226 /* the HW only needs room for the IV, but not the actual IV */ 227 if (info->control.hw_key && 228 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) 229 return 0; 230 231 /* Increase IV for the frame */ 232 pn = atomic64_inc_return(&key->conf.tx_pn); 233 pos = ieee80211_tkip_add_iv(pos, &key->conf, pn); 234 235 /* hwaccel - with software IV */ 236 if (info->control.hw_key) 237 return 0; 238 239 /* Add room for ICV */ 240 skb_put(skb, IEEE80211_TKIP_ICV_LEN); 241 242 return ieee80211_tkip_encrypt_data(&tx->local->wep_tx_ctx, 243 key, skb, pos, len); 244 } 245 246 247 ieee80211_tx_result 248 ieee80211_crypto_tkip_encrypt(struct ieee80211_tx_data *tx) 249 { 250 struct sk_buff *skb; 251 252 ieee80211_tx_set_protected(tx); 253 254 skb_queue_walk(&tx->skbs, skb) { 255 if (tkip_encrypt_skb(tx, skb) < 0) 256 return TX_DROP; 257 } 258 259 return TX_CONTINUE; 260 } 261 262 263 ieee80211_rx_result 264 ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx) 265 { 266 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 267 int hdrlen, res, hwaccel = 0; 268 struct ieee80211_key *key = rx->key; 269 struct sk_buff *skb = rx->skb; 270 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 271 272 hdrlen = ieee80211_hdrlen(hdr->frame_control); 273 274 if (!ieee80211_is_data(hdr->frame_control)) 275 return RX_CONTINUE; 276 277 if (!rx->sta || skb->len - hdrlen < 12) 278 return RX_DROP_U_SHORT_TKIP; 279 280 /* it may be possible to optimize this a bit more */ 281 if (skb_linearize(rx->skb)) 282 return RX_DROP_U_OOM; 283 hdr = (void *)skb->data; 284 285 /* 286 * Let TKIP code verify IV, but skip decryption. 287 * In the case where hardware checks the IV as well, 288 * we don't even get here, see ieee80211_rx_h_decrypt() 289 */ 290 if (status->flag & RX_FLAG_DECRYPTED) 291 hwaccel = 1; 292 293 res = ieee80211_tkip_decrypt_data(&rx->local->wep_rx_ctx, 294 key, skb->data + hdrlen, 295 skb->len - hdrlen, rx->sta->sta.addr, 296 hdr->addr1, hwaccel, rx->security_idx, 297 &rx->tkip.iv32, 298 &rx->tkip.iv16); 299 if (res != TKIP_DECRYPT_OK) 300 return RX_DROP_U_TKIP_FAIL; 301 302 /* Trim ICV */ 303 if (!(status->flag & RX_FLAG_ICV_STRIPPED)) 304 skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN); 305 306 /* Remove IV */ 307 memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen); 308 skb_pull(skb, IEEE80211_TKIP_IV_LEN); 309 310 return RX_CONTINUE; 311 } 312 313 /* 314 * Calculate AAD for CCMP/GCMP, returning qos_tid since we 315 * need that in CCMP also for b_0. 316 */ 317 static u8 ccmp_gcmp_aad(struct sk_buff *skb, u8 *aad, bool spp_amsdu, 318 bool aad_nonce_computed) 319 { 320 struct ieee80211_hdr *hdr = (void *)skb->data; 321 __le16 mask_fc; 322 int a4_included, mgmt; 323 u8 qos_tid; 324 u16 len_a = 22; 325 326 /* 327 * Mask FC: zero subtype b4 b5 b6 (if not mgmt) 328 * Retry, PwrMgt, MoreData, Order (if Qos Data); set Protected 329 */ 330 mgmt = ieee80211_is_mgmt(hdr->frame_control); 331 mask_fc = hdr->frame_control; 332 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | 333 IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA); 334 if (!mgmt) 335 mask_fc &= ~cpu_to_le16(0x0070); 336 mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED); 337 338 a4_included = ieee80211_has_a4(hdr->frame_control); 339 if (a4_included) 340 len_a += 6; 341 342 if (ieee80211_is_data_qos(hdr->frame_control)) { 343 qos_tid = *ieee80211_get_qos_ctl(hdr); 344 345 if (spp_amsdu) 346 qos_tid &= IEEE80211_QOS_CTL_TID_MASK | 347 IEEE80211_QOS_CTL_A_MSDU_PRESENT; 348 else 349 qos_tid &= IEEE80211_QOS_CTL_TID_MASK; 350 351 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_ORDER); 352 len_a += 2; 353 } else { 354 qos_tid = 0; 355 } 356 357 /* AAD (extra authenticate-only data) / masked 802.11 header 358 * FC | A1 | A2 | A3 | SC | [A4] | [QC] */ 359 put_unaligned_be16(len_a, &aad[0]); 360 put_unaligned(mask_fc, (__le16 *)&aad[2]); 361 if (!aad_nonce_computed) 362 memcpy(&aad[4], &hdr->addrs, 3 * ETH_ALEN); 363 364 /* Mask Seq#, leave Frag# */ 365 aad[22] = *((u8 *) &hdr->seq_ctrl) & 0x0f; 366 aad[23] = 0; 367 368 if (a4_included) { 369 memcpy(&aad[24], hdr->addr4, ETH_ALEN); 370 aad[30] = qos_tid; 371 aad[31] = 0; 372 } else { 373 memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN); 374 aad[24] = qos_tid; 375 } 376 377 return qos_tid; 378 } 379 380 static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad, 381 bool spp_amsdu, bool aad_nonce_computed) 382 { 383 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 384 u8 qos_tid = ccmp_gcmp_aad(skb, aad, spp_amsdu, aad_nonce_computed); 385 386 /* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC 387 * mode authentication are not allowed to collide, yet both are derived 388 * from this vector b_0. We only set L := 1 here to indicate that the 389 * data size can be represented in (L+1) bytes. The CCM layer will take 390 * care of storing the data length in the top (L+1) bytes and setting 391 * and clearing the other bits as is required to derive the two IVs. 392 */ 393 b_0[0] = 0x1; 394 395 /* Nonce: Nonce Flags | A2 | PN 396 * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7) 397 */ 398 b_0[1] = qos_tid | (ieee80211_is_mgmt(hdr->frame_control) << 4); 399 if (!aad_nonce_computed) 400 memcpy(&b_0[2], hdr->addr2, ETH_ALEN); 401 memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN); 402 } 403 404 static inline void ccmp_pn2hdr(u8 *hdr, u8 *pn, int key_id) 405 { 406 hdr[0] = pn[5]; 407 hdr[1] = pn[4]; 408 hdr[2] = 0; 409 hdr[3] = 0x20 | (key_id << 6); 410 hdr[4] = pn[3]; 411 hdr[5] = pn[2]; 412 hdr[6] = pn[1]; 413 hdr[7] = pn[0]; 414 } 415 416 417 static inline void ccmp_hdr2pn(u8 *pn, u8 *hdr) 418 { 419 pn[0] = hdr[7]; 420 pn[1] = hdr[6]; 421 pn[2] = hdr[5]; 422 pn[3] = hdr[4]; 423 pn[4] = hdr[1]; 424 pn[5] = hdr[0]; 425 } 426 427 428 static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb, 429 unsigned int mic_len) 430 { 431 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 432 struct ieee80211_key *key = tx->key; 433 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 434 int hdrlen, len, tail; 435 u8 *pos; 436 u8 pn[6]; 437 u64 pn64; 438 u8 aad[CCM_AAD_LEN]; 439 u8 b_0[AES_BLOCK_SIZE]; 440 441 if (info->control.hw_key && 442 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) && 443 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) && 444 !((info->control.hw_key->flags & 445 IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) && 446 ieee80211_is_mgmt(hdr->frame_control))) { 447 /* 448 * hwaccel has no need for preallocated room for CCMP 449 * header or MIC fields 450 */ 451 return 0; 452 } 453 454 hdrlen = ieee80211_hdrlen(hdr->frame_control); 455 len = skb->len - hdrlen; 456 457 if (info->control.hw_key) 458 tail = 0; 459 else 460 tail = mic_len; 461 462 if (WARN_ON(skb_tailroom(skb) < tail || 463 skb_headroom(skb) < IEEE80211_CCMP_HDR_LEN)) 464 return -1; 465 466 pos = skb_push(skb, IEEE80211_CCMP_HDR_LEN); 467 memmove(pos, pos + IEEE80211_CCMP_HDR_LEN, hdrlen); 468 469 /* the HW only needs room for the IV, but not the actual IV */ 470 if (info->control.hw_key && 471 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) 472 return 0; 473 474 pos += hdrlen; 475 476 pn64 = atomic64_inc_return(&key->conf.tx_pn); 477 478 pn[5] = pn64; 479 pn[4] = pn64 >> 8; 480 pn[3] = pn64 >> 16; 481 pn[2] = pn64 >> 24; 482 pn[1] = pn64 >> 32; 483 pn[0] = pn64 >> 40; 484 485 ccmp_pn2hdr(pos, pn, key->conf.keyidx); 486 487 /* hwaccel - with software CCMP header */ 488 if (info->control.hw_key) 489 return 0; 490 491 pos += IEEE80211_CCMP_HDR_LEN; 492 ccmp_special_blocks(skb, pn, b_0, aad, 493 key->conf.flags & IEEE80211_KEY_FLAG_SPP_AMSDU, 494 false); 495 return ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len, 496 skb_put(skb, mic_len)); 497 } 498 499 500 ieee80211_tx_result 501 ieee80211_crypto_ccmp_encrypt(struct ieee80211_tx_data *tx, 502 unsigned int mic_len) 503 { 504 struct sk_buff *skb; 505 506 ieee80211_tx_set_protected(tx); 507 508 skb_queue_walk(&tx->skbs, skb) { 509 if (ccmp_encrypt_skb(tx, skb, mic_len) < 0) 510 return TX_DROP; 511 } 512 513 return TX_CONTINUE; 514 } 515 516 517 ieee80211_rx_result 518 ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx, 519 unsigned int mic_len) 520 { 521 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 522 int hdrlen; 523 struct ieee80211_key *key = rx->key; 524 struct sk_buff *skb = rx->skb; 525 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 526 u8 pn[IEEE80211_CCMP_PN_LEN]; 527 int data_len; 528 int queue; 529 530 hdrlen = ieee80211_hdrlen(hdr->frame_control); 531 532 if (!ieee80211_is_data(hdr->frame_control) && 533 !ieee80211_is_robust_mgmt_frame(skb) && 534 !ieee80211_require_encrypted_assoc(hdr->frame_control, rx->sta)) 535 return RX_CONTINUE; 536 537 if (status->flag & RX_FLAG_DECRYPTED) { 538 if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN)) 539 return RX_DROP_U_SHORT_CCMP; 540 if (status->flag & RX_FLAG_MIC_STRIPPED) 541 mic_len = 0; 542 } else { 543 if (skb_linearize(rx->skb)) 544 return RX_DROP_U_OOM; 545 } 546 547 /* reload hdr - skb might have been reallocated */ 548 hdr = (void *)rx->skb->data; 549 550 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len; 551 if (!rx->sta || data_len < 0) 552 return RX_DROP_U_SHORT_CCMP; 553 554 if (!(status->flag & RX_FLAG_PN_VALIDATED)) { 555 int res; 556 557 ccmp_hdr2pn(pn, skb->data + hdrlen); 558 559 queue = rx->security_idx; 560 561 res = memcmp(pn, key->u.ccmp.rx_pn[queue], 562 IEEE80211_CCMP_PN_LEN); 563 if (res < 0 || 564 (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) { 565 key->u.ccmp.replays++; 566 return RX_DROP_U_REPLAY; 567 } 568 569 if (!(status->flag & RX_FLAG_DECRYPTED)) { 570 u8 aad[2 * AES_BLOCK_SIZE]; 571 u8 b_0[AES_BLOCK_SIZE]; 572 bool aad_nonce_computed = false; 573 574 if (is_unicast_ether_addr(hdr->addr1) && 575 !ieee80211_is_data(hdr->frame_control)) { 576 /* AAD computation */ 577 memcpy(&aad[4], rx->link_addrs, 3 * ETH_ALEN); 578 /* Nonce computation */ 579 ether_addr_copy(&b_0[2], 580 &rx->link_addrs[ETH_ALEN]); 581 aad_nonce_computed = true; 582 } 583 584 /* hardware didn't decrypt/verify MIC */ 585 ccmp_special_blocks(skb, pn, b_0, aad, 586 key->conf.flags & IEEE80211_KEY_FLAG_SPP_AMSDU, 587 aad_nonce_computed); 588 589 if (ieee80211_aes_ccm_decrypt( 590 key->u.ccmp.tfm, b_0, aad, 591 skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN, 592 data_len, 593 skb->data + skb->len - mic_len)) 594 return RX_DROP_U_MIC_FAIL; 595 } 596 597 memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN); 598 if (unlikely(ieee80211_is_frag(hdr))) 599 memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN); 600 } 601 602 /* Remove CCMP header and MIC */ 603 if (pskb_trim(skb, skb->len - mic_len)) 604 return RX_DROP_U_SHORT_CCMP_MIC; 605 memmove(skb->data + IEEE80211_CCMP_HDR_LEN, skb->data, hdrlen); 606 skb_pull(skb, IEEE80211_CCMP_HDR_LEN); 607 608 return RX_CONTINUE; 609 } 610 611 static void gcmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *j_0, u8 *aad, 612 bool spp_amsdu, bool aad_nonce_computed) 613 { 614 struct ieee80211_hdr *hdr = (void *)skb->data; 615 616 if (!aad_nonce_computed) 617 memcpy(j_0, hdr->addr2, ETH_ALEN); 618 memcpy(&j_0[ETH_ALEN], pn, IEEE80211_GCMP_PN_LEN); 619 620 ccmp_gcmp_aad(skb, aad, spp_amsdu, aad_nonce_computed); 621 } 622 623 static inline void gcmp_pn2hdr(u8 *hdr, const u8 *pn, int key_id) 624 { 625 hdr[0] = pn[5]; 626 hdr[1] = pn[4]; 627 hdr[2] = 0; 628 hdr[3] = 0x20 | (key_id << 6); 629 hdr[4] = pn[3]; 630 hdr[5] = pn[2]; 631 hdr[6] = pn[1]; 632 hdr[7] = pn[0]; 633 } 634 635 static inline void gcmp_hdr2pn(u8 *pn, const u8 *hdr) 636 { 637 pn[0] = hdr[7]; 638 pn[1] = hdr[6]; 639 pn[2] = hdr[5]; 640 pn[3] = hdr[4]; 641 pn[4] = hdr[1]; 642 pn[5] = hdr[0]; 643 } 644 645 static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb) 646 { 647 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 648 struct ieee80211_key *key = tx->key; 649 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 650 int hdrlen, len, tail; 651 u8 *pos; 652 u8 pn[6]; 653 u64 pn64; 654 u8 aad[GCM_AAD_LEN]; 655 u8 j_0[AES_BLOCK_SIZE]; 656 657 if (info->control.hw_key && 658 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) && 659 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) && 660 !((info->control.hw_key->flags & 661 IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) && 662 ieee80211_is_mgmt(hdr->frame_control))) { 663 /* hwaccel has no need for preallocated room for GCMP 664 * header or MIC fields 665 */ 666 return 0; 667 } 668 669 hdrlen = ieee80211_hdrlen(hdr->frame_control); 670 len = skb->len - hdrlen; 671 672 if (info->control.hw_key) 673 tail = 0; 674 else 675 tail = IEEE80211_GCMP_MIC_LEN; 676 677 if (WARN_ON(skb_tailroom(skb) < tail || 678 skb_headroom(skb) < IEEE80211_GCMP_HDR_LEN)) 679 return -1; 680 681 pos = skb_push(skb, IEEE80211_GCMP_HDR_LEN); 682 memmove(pos, pos + IEEE80211_GCMP_HDR_LEN, hdrlen); 683 skb_set_network_header(skb, skb_network_offset(skb) + 684 IEEE80211_GCMP_HDR_LEN); 685 686 /* the HW only needs room for the IV, but not the actual IV */ 687 if (info->control.hw_key && 688 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) 689 return 0; 690 691 pos += hdrlen; 692 693 pn64 = atomic64_inc_return(&key->conf.tx_pn); 694 695 pn[5] = pn64; 696 pn[4] = pn64 >> 8; 697 pn[3] = pn64 >> 16; 698 pn[2] = pn64 >> 24; 699 pn[1] = pn64 >> 32; 700 pn[0] = pn64 >> 40; 701 702 gcmp_pn2hdr(pos, pn, key->conf.keyidx); 703 704 /* hwaccel - with software GCMP header */ 705 if (info->control.hw_key) 706 return 0; 707 708 pos += IEEE80211_GCMP_HDR_LEN; 709 gcmp_special_blocks(skb, pn, j_0, aad, 710 key->conf.flags & IEEE80211_KEY_FLAG_SPP_AMSDU, 711 false); 712 return ieee80211_aes_gcm_encrypt(key->u.gcmp.tfm, j_0, aad, pos, len, 713 skb_put(skb, IEEE80211_GCMP_MIC_LEN)); 714 } 715 716 ieee80211_tx_result 717 ieee80211_crypto_gcmp_encrypt(struct ieee80211_tx_data *tx) 718 { 719 struct sk_buff *skb; 720 721 ieee80211_tx_set_protected(tx); 722 723 skb_queue_walk(&tx->skbs, skb) { 724 if (gcmp_encrypt_skb(tx, skb) < 0) 725 return TX_DROP; 726 } 727 728 return TX_CONTINUE; 729 } 730 731 ieee80211_rx_result 732 ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx) 733 { 734 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 735 int hdrlen; 736 struct ieee80211_key *key = rx->key; 737 struct sk_buff *skb = rx->skb; 738 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 739 u8 pn[IEEE80211_GCMP_PN_LEN]; 740 int data_len, queue, mic_len = IEEE80211_GCMP_MIC_LEN; 741 742 hdrlen = ieee80211_hdrlen(hdr->frame_control); 743 744 if (!ieee80211_is_data(hdr->frame_control) && 745 !ieee80211_is_robust_mgmt_frame(skb) && 746 !ieee80211_require_encrypted_assoc(hdr->frame_control, rx->sta)) 747 return RX_CONTINUE; 748 749 if (status->flag & RX_FLAG_DECRYPTED) { 750 if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_GCMP_HDR_LEN)) 751 return RX_DROP_U_SHORT_GCMP; 752 if (status->flag & RX_FLAG_MIC_STRIPPED) 753 mic_len = 0; 754 } else { 755 if (skb_linearize(rx->skb)) 756 return RX_DROP_U_OOM; 757 } 758 759 /* reload hdr - skb might have been reallocated */ 760 hdr = (void *)rx->skb->data; 761 762 data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len; 763 if (!rx->sta || data_len < 0) 764 return RX_DROP_U_SHORT_GCMP; 765 766 if (!(status->flag & RX_FLAG_PN_VALIDATED)) { 767 int res; 768 769 gcmp_hdr2pn(pn, skb->data + hdrlen); 770 771 queue = rx->security_idx; 772 773 res = memcmp(pn, key->u.gcmp.rx_pn[queue], 774 IEEE80211_GCMP_PN_LEN); 775 if (res < 0 || 776 (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) { 777 key->u.gcmp.replays++; 778 return RX_DROP_U_REPLAY; 779 } 780 781 if (!(status->flag & RX_FLAG_DECRYPTED)) { 782 u8 aad[2 * AES_BLOCK_SIZE]; 783 u8 j_0[AES_BLOCK_SIZE]; 784 bool aad_nonce_computed = false; 785 786 if (is_unicast_ether_addr(hdr->addr1) && 787 !ieee80211_is_data(hdr->frame_control)) { 788 /* AAD computation */ 789 memcpy(&aad[4], rx->link_addrs, 3 * ETH_ALEN); 790 /* Nonce computation */ 791 ether_addr_copy(&j_0[0], 792 &rx->link_addrs[ETH_ALEN]); 793 aad_nonce_computed = true; 794 } 795 /* hardware didn't decrypt/verify MIC */ 796 gcmp_special_blocks(skb, pn, j_0, aad, 797 key->conf.flags & IEEE80211_KEY_FLAG_SPP_AMSDU, 798 aad_nonce_computed); 799 800 if (ieee80211_aes_gcm_decrypt( 801 key->u.gcmp.tfm, j_0, aad, 802 skb->data + hdrlen + IEEE80211_GCMP_HDR_LEN, 803 data_len, 804 skb->data + skb->len - 805 IEEE80211_GCMP_MIC_LEN)) 806 return RX_DROP_U_MIC_FAIL; 807 } 808 809 memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN); 810 if (unlikely(ieee80211_is_frag(hdr))) 811 memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN); 812 } 813 814 /* Remove GCMP header and MIC */ 815 if (pskb_trim(skb, skb->len - mic_len)) 816 return RX_DROP_U_SHORT_GCMP_MIC; 817 memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen); 818 skb_pull(skb, IEEE80211_GCMP_HDR_LEN); 819 820 return RX_CONTINUE; 821 } 822 823 static void bip_aad(struct sk_buff *skb, u8 *aad) 824 { 825 __le16 mask_fc; 826 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 827 828 /* BIP AAD: FC(masked) || A1 || A2 || A3 */ 829 830 /* FC type/subtype */ 831 /* Mask FC Retry, PwrMgt, MoreData flags to zero */ 832 mask_fc = hdr->frame_control; 833 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM | 834 IEEE80211_FCTL_MOREDATA); 835 put_unaligned(mask_fc, (__le16 *) &aad[0]); 836 /* A1 || A2 || A3 */ 837 memcpy(aad + 2, &hdr->addrs, 3 * ETH_ALEN); 838 } 839 840 841 static inline void bip_ipn_set64(u8 *d, u64 pn) 842 { 843 *d++ = pn; 844 *d++ = pn >> 8; 845 *d++ = pn >> 16; 846 *d++ = pn >> 24; 847 *d++ = pn >> 32; 848 *d = pn >> 40; 849 } 850 851 static inline void bip_ipn_swap(u8 *d, const u8 *s) 852 { 853 *d++ = s[5]; 854 *d++ = s[4]; 855 *d++ = s[3]; 856 *d++ = s[2]; 857 *d++ = s[1]; 858 *d = s[0]; 859 } 860 861 862 ieee80211_tx_result 863 ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx, 864 unsigned int mic_len) 865 { 866 struct sk_buff *skb; 867 struct ieee80211_tx_info *info; 868 struct ieee80211_key *key = tx->key; 869 struct ieee80211_mmie_var *mmie; 870 size_t mmie_len; 871 u8 aad[20]; 872 u64 pn64; 873 874 if (WARN_ON(skb_queue_len(&tx->skbs) != 1)) 875 return TX_DROP; 876 877 skb = skb_peek(&tx->skbs); 878 879 info = IEEE80211_SKB_CB(skb); 880 881 if (info->control.hw_key && 882 !(key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIE)) 883 return TX_CONTINUE; 884 885 mmie_len = sizeof(*mmie) + mic_len; 886 887 if (WARN_ON(skb_tailroom(skb) < mmie_len)) 888 return TX_DROP; 889 890 mmie = skb_put(skb, mmie_len); 891 mmie->element_id = WLAN_EID_MMIE; 892 mmie->length = mmie_len - 2; 893 mmie->key_id = cpu_to_le16(key->conf.keyidx); 894 895 /* PN = PN + 1 */ 896 pn64 = atomic64_inc_return(&key->conf.tx_pn); 897 898 bip_ipn_set64(mmie->sequence_number, pn64); 899 900 if (info->control.hw_key) 901 return TX_CONTINUE; 902 903 bip_aad(skb, aad); 904 905 ieee80211_aes_cmac(&key->u.aes_cmac.key, aad, skb->data + 24, 906 skb->len - 24, mmie->mic, mic_len); 907 return TX_CONTINUE; 908 } 909 910 ieee80211_rx_result 911 ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx, 912 unsigned int mic_len) 913 { 914 struct sk_buff *skb = rx->skb; 915 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 916 struct ieee80211_key *key = rx->key; 917 struct ieee80211_mmie_var *mmie; 918 size_t mmie_len; 919 u8 aad[20], mic[IEEE80211_CMAC_256_MIC_LEN], ipn[6]; 920 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 921 922 if (!ieee80211_is_mgmt(hdr->frame_control)) 923 return RX_CONTINUE; 924 925 mmie_len = sizeof(*mmie) + mic_len; 926 927 /* management frames are already linear */ 928 929 if (skb->len < 24 + mmie_len) 930 return mic_len == IEEE80211_CMAC_128_MIC_LEN ? 931 RX_DROP_U_SHORT_CMAC : RX_DROP_U_SHORT_CMAC256; 932 933 mmie = (struct ieee80211_mmie_var *)(skb->data + skb->len - mmie_len); 934 if (mmie->element_id != WLAN_EID_MMIE || 935 mmie->length != mmie_len - 2) 936 return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */ 937 938 bip_ipn_swap(ipn, mmie->sequence_number); 939 940 if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) { 941 key->u.aes_cmac.replays++; 942 return RX_DROP_U_REPLAY; 943 } 944 945 if (!(status->flag & RX_FLAG_DECRYPTED)) { 946 /* hardware didn't decrypt/verify MIC */ 947 bip_aad(skb, aad); 948 ieee80211_aes_cmac(&key->u.aes_cmac.key, aad, skb->data + 24, 949 skb->len - 24, mic, mic_len); 950 if (crypto_memneq(mic, mmie->mic, mic_len)) { 951 key->u.aes_cmac.icverrors++; 952 return RX_DROP_U_MIC_FAIL; 953 } 954 } 955 956 memcpy(key->u.aes_cmac.rx_pn, ipn, 6); 957 958 /* Remove MMIE */ 959 skb_trim(skb, skb->len - mmie_len); 960 961 return RX_CONTINUE; 962 } 963 964 ieee80211_tx_result 965 ieee80211_crypto_aes_gmac_encrypt(struct ieee80211_tx_data *tx) 966 { 967 struct sk_buff *skb; 968 struct ieee80211_tx_info *info; 969 struct ieee80211_key *key = tx->key; 970 struct ieee80211_mmie_16 *mmie; 971 struct ieee80211_hdr *hdr; 972 u8 aad[GMAC_AAD_LEN]; 973 u64 pn64; 974 u8 nonce[GMAC_NONCE_LEN]; 975 976 if (WARN_ON(skb_queue_len(&tx->skbs) != 1)) 977 return TX_DROP; 978 979 skb = skb_peek(&tx->skbs); 980 981 info = IEEE80211_SKB_CB(skb); 982 983 if (info->control.hw_key && 984 !(key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIE)) 985 return TX_CONTINUE; 986 987 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie))) 988 return TX_DROP; 989 990 mmie = skb_put(skb, sizeof(*mmie)); 991 mmie->element_id = WLAN_EID_MMIE; 992 mmie->length = sizeof(*mmie) - 2; 993 mmie->key_id = cpu_to_le16(key->conf.keyidx); 994 995 /* PN = PN + 1 */ 996 pn64 = atomic64_inc_return(&key->conf.tx_pn); 997 998 bip_ipn_set64(mmie->sequence_number, pn64); 999 1000 if (info->control.hw_key) 1001 return TX_CONTINUE; 1002 1003 bip_aad(skb, aad); 1004 1005 hdr = (struct ieee80211_hdr *)skb->data; 1006 memcpy(nonce, hdr->addr2, ETH_ALEN); 1007 bip_ipn_swap(nonce + ETH_ALEN, mmie->sequence_number); 1008 1009 /* MIC = AES-GMAC(IGTK, AAD || Management Frame Body || MMIE, 128) */ 1010 if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce, 1011 skb->data + 24, skb->len - 24, mmie->mic) < 0) 1012 return TX_DROP; 1013 1014 return TX_CONTINUE; 1015 } 1016 1017 ieee80211_rx_result 1018 ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx) 1019 { 1020 struct sk_buff *skb = rx->skb; 1021 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1022 struct ieee80211_key *key = rx->key; 1023 struct ieee80211_mmie_16 *mmie; 1024 u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN]; 1025 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1026 1027 if (!ieee80211_is_mgmt(hdr->frame_control)) 1028 return RX_CONTINUE; 1029 1030 /* management frames are already linear */ 1031 1032 if (skb->len < 24 + sizeof(*mmie)) 1033 return RX_DROP_U_SHORT_GMAC; 1034 1035 mmie = (struct ieee80211_mmie_16 *) 1036 (skb->data + skb->len - sizeof(*mmie)); 1037 if (mmie->element_id != WLAN_EID_MMIE || 1038 mmie->length != sizeof(*mmie) - 2) 1039 return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */ 1040 1041 bip_ipn_swap(ipn, mmie->sequence_number); 1042 1043 if (memcmp(ipn, key->u.aes_gmac.rx_pn, 6) <= 0) { 1044 key->u.aes_gmac.replays++; 1045 return RX_DROP_U_REPLAY; 1046 } 1047 1048 if (!(status->flag & RX_FLAG_DECRYPTED)) { 1049 /* hardware didn't decrypt/verify MIC */ 1050 bip_aad(skb, aad); 1051 1052 memcpy(nonce, hdr->addr2, ETH_ALEN); 1053 memcpy(nonce + ETH_ALEN, ipn, 6); 1054 1055 mic = kmalloc(IEEE80211_GMAC_MIC_LEN, GFP_ATOMIC); 1056 if (!mic) 1057 return RX_DROP_U_OOM; 1058 if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce, 1059 skb->data + 24, skb->len - 24, 1060 mic) < 0 || 1061 crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) { 1062 key->u.aes_gmac.icverrors++; 1063 kfree(mic); 1064 return RX_DROP_U_MIC_FAIL; 1065 } 1066 kfree(mic); 1067 } 1068 1069 memcpy(key->u.aes_gmac.rx_pn, ipn, 6); 1070 1071 /* Remove MMIE */ 1072 skb_trim(skb, skb->len - sizeof(*mmie)); 1073 1074 return RX_CONTINUE; 1075 } 1076